Secure Pervasive Social Networking based on ... - Semantic Scholar

Secure Pervasive Social Networking based on MultiDimensional Trust Levels Zheng Yan

Mingjun Wang

Valtteri Niemi

Raimo Kantola

The State Key Lab of ISN, Xidian University, China Department of Comnet Aalto University Espoo, Finland [email protected]

The State Key Lab of ISN Xidian University Xi’an, China wangmingjun1987@hotm ail.com

Department of Mathematics and Statistics University of Turku Turku, Finland [email protected]

Department of Communications and Networking Aalto University Espoo, Finland [email protected]

Abstract— Mobile Ad Hoc Network (MANET) is becoming a generic platform for pervasive social networking (PSN). It is important to secure communications in PSN for crucial instant social activities. However, both centralized and distributed security solutions for PSN are impractical due to the lack of connection to a central party in urgent situations or heavy traffic and processing load for key management that is caused by the dynamic changes of PSN topology and node trust. Applying pseudonyms for PSN nodes exacerbates this situation. How to automatically control data access in a secure and efficient way is a challenge. For effectively securing PSN, the following two fundamental requirements have to be met: 1) Controlling data access should be based on trust relationships and must be flexible; 2) Key management should be done with sufficiently low computation and communication cost. In this paper, we utilize two dimensions of trust levels either evaluated by a trusted server or individual PSN nodes or both to control PSN data access in a heterogeneous manner on the basis of attribute-based encryption (ABE). We formally prove the security of our scheme based on the security of a distributed ABE scheme by Müller et al. and analyze its performance and computational complexity. Extensive analysis shows that our proposed scheme is highly efficient and provably secure under relevant system and security models. Index Terms— Trust; trust level; access control; pervasive social networking; MANET.

I. INTRODUCTION The Mobile Ad Hoc Network (MANET) has a good prospect of becoming a practical platform for instant social activities [1]. Because group mobility is very common in modern life, a social group could be instantly formed through MANET by not only people socially connected, but also strangers physically in proximity. For example, a user could chat with strangers nearby to satisfy instant social needs. This kind of pervasive social networking (PSN) is an essential complement to Internet social networking and very valuable for mobile users, especially when the Internet or cellular networks are temporarily unavailable or costly to access. Trust plays an important role in PSN for reciprocal activities among nearby strangers. It helps people overcome perceptions of uncertainty and risk and engages in "trust-

related behaviors". During the instant social activities, users are not necessarily acquaintances but more likely strangers. Therefore the users need to balance between benefits received in such reciprocal activities and risks related to communicating with strangers. In this context, it is important to figure out the level of trust for secure communications among PSN nodes. Social networking based on MANET has been studied in the literature, e.g., AdSocial [2] and Junction [3] that provide a PSN platform. However, trust and reputation aspects in PSN are not seriously considered in these projects. Traditional online social networking systems (e.g., Facebook) have not concerned instant social communication data protection. Herein, trust is a measure derived from direct or indirect knowledge/experiences on earlier interactions of entities and is used to assess the level of belief and dependence put into an entity. Based on the theory of trust evolution, the best survival strategy that produces largest benefits is to cheat when strangers meet [4]. This applies particularly when one expects not to meet another party again. Applying pseudonyms for PSN nodes exacerbates this situation. With this fundamental expectation, making cooperative behavior dominant in PSN seems to require a long term memory of social behaviors. A centralized trust management system can provide this function by applying solid identity management. In our previous work, we propose a trust management system to generate a local trust level (LT) based on locally accumulated information at PSN nodes and a more accurate general trust level (GT) at a trusted server (TS) based on historical accumulated social information and unique node identifiers in order to encourage good behaviors in PSN [5]. But we did not solve the issue about securing communications among trustworthy nodes. In order to avoid malicious eavesdropping by untrustworthy nodes, it is essential to secure communications in PSN. Notably, MANET is a self-organized system. It may not connect to a centralized server in many situations (e.g., disasters). Thus, an access control solution depending on a centralized server is not applicable in some situations due to unavailability of server connection. Another weakness of this solution is that the server could be the target of DoS/DDoS or other kinds of attacks. Once the server is broken down, the

reliability of the whole system could be badly influenced. However, setting up a server is helpful in practice for identity and key management, and precise trust evaluation based on long-term experiences [5]. How to make use of this advantage and meanwhile overcome the weakness of such setting is an issue of practical significance. On the other hand, a pure distributed access control solution for PSN also has weaknesses. Due to the dynamics and changes of PSN topology, node pseudonyms and trust relationships, keys used for communication data protection need to be frequently updated and distributed to each eligible node. This introduces a heavy traffic and processing load, which may cause a serious performance bottleneck. How to automatically control data access in a secure and efficient way in PSN is a challenge. In this paper, we utilize two dimensions of trust levels: either general trust evaluated by TS or local trust evaluated by individual PSN nodes or both to control PSN data access in a heterogeneous manner on the basis of Attribute-Based Encryption (ABE) [6-9]. Any PSN node can select other nodes with at least a minimum level of local and/or general trust for secure communications. In the case that the TS is available and the node would like to control its data access only based on GT, the GT controlled access keys are generated and issued by the TS for encrypting and decrypting the message encryption key. In the case that the server is not available, each node generates the encryption key and corresponding personalized secret keys for eligible nodes based on the LT. In the case that the TS is available and the node would like to control its data access by both GT and LT, it protects the message encryption key with the keys generated based on both GT and LT. Specifically, the contribution of this paper can be summarized as below: 1) We motivate securing PSN by controlling its data access in a heterogeneous manner based on two dimensions of trust levels in different social networking situations. 2) To the best of our knowledge, our scheme is one of the first to secure PSN data communications in a holistic, flexible, scalable and effective way. Our scheme achieves controlling data access either in a centralized or distributed manner or both. 3) We prove the security and justify the performance of our proposed schemes through extensive analysis and security proof. The rest of the paper is organized as follows. Section II introduces the system and threat model and our design goals. Then we provide the detailed description of our scheme in Section III. Section IV gives the security analysis and performance evaluation, followed by Section V that overviews related work. Finally, conclusion is presented in the last section. II. PROBLEM STATEMENT A. System and Threat Model We consider a PSN system involving two different kinds of entities, as illustrated in Fig. 1: the PSN nodes that interact with each other for instant social communications; a trusted server (TS) that has functions and capability that the PSN

nodes do not have and is trusted to provide identity and key management, as well as trust management. It can collect sufficient information to conduct accurate trust evaluation [5]. As integrity and/or confidentiality of some instant social communications are crucial, it is important to ensure communication data security in PSN. To save computation resources and processing burdens, PSN nodes may resort to the TS through mobile Internet to manage identities, keys and trust relationships for ensuring secure PSN communications in various situations. To be able to provide integrity and privacy in PSN communications, nodes should be able to authenticate each other using pseudonyms. We assume that TS is reliable and trustworthy for preserving the private data of nodes by deploying secure data protection technologies [10, 11]. This assumption is based on existence of business incentives. The TS is assumed to have abundant storage capacity and computation power. It is available for a PSN node to register itself into the system although its availability is not essential during PSN communications. The communications between the nodes and TS is secure by applying an existing security protocol such as SSL. Each node registers at the TS with a unique identifier and the TS can map it with its current pseudonym used in PSN [5]. The nodes may not trust each other. Some nodes may maliciously eavesdrop on PSN communications to pursue personal benefits. Social communications among trustworthy nodes are expected. In addition, each node is issued with a public/secret key pair by the TS during node registration. The public key or a derived one-off public key is shared with other nodes if needed for secure communications. Delegation is not allowed among PSN nodes since they are mostly strangers. B. Design Goals To secure PSN under the aforementioned model, our design should achieve the following security and performance goals: 1) Flexibility and comprehension: the control of data access based on trust relationships in PSN should be flexible no matter whether the TS is available or not. The system should support PSN data access control in either a centralized manner or a distributed manner or both; 2) Heterogeneity: the proposed scheme supports various access control demands in PSN: general access control policies decided by the TS and/or personal access control policies handled by individual nodes; 3) Security: The PSN data can only be accessed by eligible nodes that are trustworthy enough; 4) Lightweight: the scheme secures PSN with minimum computation and communication overhead. III. THE PROPOSED SCHEME This section presents a flexible data access control scheme to secure PSN. After introducing a trust management framework for PSN that can support the deployment of the proposed scheme, we introduce notations, brief preliminaries and definitions. Then, we present our scheme to control data access in a flexible and heterogeneous manner.

A. Trust Management Framework Fig. 1 illustrates a trust management framework for PSN [5]. It is a hybrid infrastructure in order to utilize the advantages of both distributed and centralized reputation architecture. At each node, a User Behavior Observer records node social behaviors; the Social Networking UI (i.e., a set of PSN applications) provides a user interface for conducting instant social networking; Communication Reporter and Voter report the social behaviors and local trust information to the TS; a Trust Evaluator evaluates the LT of other nodes that is visualized via UI to the node user; a Trust Extractor receives a trust token from TS. This token contains the GT of the node (digitally signed by TS), public and personalized secret keys for data access control, and the validity period of the keys; a Dataset stores all data related to the above functions in a secure manner. In addition, a Node Profile Manager is applied to maintain the personal information of a node. It can communicate with the TS to register the node into the system and update the node’s trust token. Node x

Trusted Server

Communication Reporter and Voter Trust Evaluator

Trust Extractor

User Behavior Observer

Node Profile Manager

Dataset

MANET Social Networking (UI)

Trust Visualization (UI)

Trust Distributor

Information Receiver Trust Generator/Pr edictor

TS Database

Node ID Manager

Fig. 1. Trust management framework in PSN

At the TS, a Trust Generator/Predictor calculates the GT of the node and identifies malicious nodes. A Trust Distributor distributes the trust token to each node periodically. A Node ID Manager handles node registration and issues new node pseudonyms and keys (by request or periodically). An Information Receiver collects the social records reported by the nodes and saves them into a Database that also stores the trust token of each node and its unique identifier, pseudonyms and keys, etc. Detailed design and implementation, as well as social acceptance study of the above framework are described in [5]. B. Notations/Preliminaries and Definitions Bilinear pairing: Let G and GT be two cyclic multiplicative groups with the same prime order p, that is, |G| = |GT| = p. Let g be a generator of G. Let us have a bilinear map e: G×G→GT, with the following properties: • Bilinear: for all u, v∈G and a, b∈Zp, e(ua, vb) = e(u, v)ab. • Non-degenerate: e(g, g)≠1 for the generator g. • Computable: there is an efficient algorithm to compute e(u, v) for any u, v∈G. Definition: General trust level (GT) is the trust level evaluated by the TS according to all accumulated information based on a unique node identifier.

Definition: Local trust level (LT) is the trust level evaluated by the PSN node according to the information locally accumulated based on node pseudonyms. Herein, we divide trust into discrete levels, e.g., GT_i represents the i-th level of GT, 0, Ī , where Ī is the maximum level of GT. So is for LT. Obviously, GT is more accurate than LT if the node pseudonyms are frequently changed in PSN. C. The Proposed Scheme Centralized and distributed data access control schemes have intrinsic weaknesses as described in Section I. In addition, the change of node pseudonyms causes inaccurate or inconsistent trust evaluations at nodes, which makes distributed data access control insufficient. Particularly, a common drawback of both schemes is that they can only control PSN data access based on one dimensional trust level, which may not be sufficient to achieve expected security and support various contexts in a holistic way. To effectively secure PSN, we resort to controlling the data access based on two dimensions of trust levels by applying ABE technique [6-9], particularly distributed ABE [8]. We note that neither symmetric nor public key based encryption is suitable for PSN because they are not efficient for either key management or multicasting/broadcasting messages to a group of nodes. ABE is a new cryptographic technique that identifies users by a set of attributes rather than an exact identity. Each data item is encrypted with an attribute-based access structure, such that only the users whose attributes satisfy the access structure can decrypt the data. For example, for data D, encrypted with the access structure a1 or a2, nodes with either attribute a1 or attribute a2, can decrypt D. ABE has developed to two branches, key-policy ABE (KP-ABE) [7] and ciphertext-policy ABE (CP-ABE) [6, 8]. Recently, ABE has been applied in secure data storage for cloud computing in academia [10, 11]. But it hasn’t been applied to secure PSN based on trust levels and in industry due to complexity. Herein, we illustrate our scheme with CP-ABE. Notably, KP-ABE could also be applied to implement our scheme. Adopting CPABE saves efforts of key management, while applying KPABE could save the computation costs of PSN data encryption. Overview We propose to use either LT or GT or both to control the access of data in PSN. Any PSN node can select other nodes for secure communications by defining a minimum level of local and/or general trust that those nodes must have. The node with a lower trust level cannot access the data sent from it. The GT issued by the TS can play as the initial trust level for the evolution of LT. Thus, the system can still securely control data access in PSN even though the TS is not available for a while. During system setup, a public master key PK and a secret master key MK are generated; PK is available to every system entity, whereas MK is only known to the TS. Every node u maintains a public key PK_u, which is used by TS to generate personalized secret attribute keys, and a secret key SK_u used in the decryption operation related to PK_u. Generation of PK_u and SK_u is the task of the TS. It verifies the unique

identifier of each node before these two keys are generated and issued during node registration into the system. The TS maintains a secret key SK_ts that is used to issue secret attribute keys to nodes based on GT. The node secret key SK_u is used to issue secret attribute keys to other nodes based on LT. It is also used to generate the public key of attribute LT of u. For every attribute with representation GT there is a public key set, denoted PK(GT), which is issued by the TS and used to encrypt communication data in order to control access based on GT. For every attribute with representation (LT,u) there is a public key set, denoted PK(LT,u), which is generated by node u and used to encrypt communication data of u, aiming to control access based on LT evaluated by u. To prevent collusions of insider attackers (e.g., malicious PSN nodes), every node gets a different secret attribute key. The corresponding secret attribute key SK(GT,u) of GT, personalized for eligible node u, is issued by the TS to u based on its GT. A secret attribute key of LT, issued for an eligible node u’ by u is denoted as SK(LT,u,u’). We call the set of secret keys that a node u’ has (i.e., the keys SK_u’, SK(GT,u’), and SK(LT,u,u’)) as its key ring. Scheme Details The scheme consists of eight fundamental algorithms as described below. Setup. The Setup algorithm chooses a bilinear multiplicative group of prime order p with generator g and a pairing T . Next it chooses a random point . The public key of the P and a random exponent y , while the secret system is PK , T , e, g, P, e g, g master key is given by MK g . It also chooses a random for the TS and a random hash function secret key SK_ts 0,1 from a finite family of hash functions. SK_ts The choice is kept secret by TS. InitiateNode PK, MK, . The InitiateNode algorithm takes as input the public key PK, the master key MK, and a node identifier . This algorithm randomly chooses a secret mk and outputs the public key PK_ g and the secret key SK_ MK · P g ·P . IssueGeneralTrustPK PK, GT, SK_ts . This algorithm is automatically executed by the TS whenever it is the time to issue PK(GT) by checking the validity period of the previously issued keys. The algorithm checks the access policy of TS related to GT . If the result of the check is negative, IssueGeneralTrustPK returns NULL, else it returns the public GT key PK GT_ for each GT attribute GT_ , which consists of two parts: PK GT_ = PK GT_ ' = g HSK_ts GT_ , PK GT_ " e g, g HSK_ts GT_ . , where Ī Note that PK GT PK GT_ , 0, Ī is the maximum level of GT. IssueGeneralTrustSK PK, GT, SK_ts, PK_ . This algorithm is automatically executed by the TS whenever it is time to issue the secret GT keys. This is noticed by checking against the validity period of the previously issued keys. The algorithm checks in which GT the node is located, e.g., if is located in a general trust level (I is an integer and I∈[0,

Ī ]), we said is eligible for the attributes GT_ . Then the algorithm outputs a corresponding secret GT key for . HSK_ts GT_ SK GT_ , PK_ HSK_ts GT_ g . Note that can check the validity of this secret key by testing e SK_ , PK GT_ PK GT_ · e P, SK GT_ , . IssueLocalTrustPK PK, LT, SK_ . This algorithm is executed by node whenever it would like to control the access of its data based on a locally evaluated trust level. This algorithm also chooses uniformly and randomly a hash function HSK_ 0,1 from the finite family of hash functions, which is then independent of HSK_ , and returns the public LT key for each attribute LT_ , PK LT_ , u , which also consists of two parts: PK LT_ , = PK LT_ , ' = g HSK_u LT_ , PK LT_ , " e g, g HSK_u LT_ . Note that PK LT, PK LT_ , , 0, Ī , where Ī is the maximum level of LT. We set Ī Ī Ī for simplifying the system and presentation. IssueLocalTrustSK PK, LT, SK_ , PK_ ' . This algorithm is executed by node by checking the eligibility of '. It checks in which LT the node ' is located, e.g., if is located in LT (I is an integer and I∈[0, Ī ]), we said is eligible for the attribute LT_ , . Then the algorithm outputs a corresponding secret LT key SK LT_ , , for user ': HSK_ LT_ SK LT_ , , PK_ HSK_ LT_ g Encrypt PK, M, AA, PK , PK , . The Encrypt algorithm takes as input the public key PK, a plain data M, an access policy AA and the public keys PK GT and PK LT, corresponding to the general and local trust attributes occurring in AA . The algorithm encrypts M with the policy AA and outputs the ciphertext CT. This process is conducted by node to protect its PSN communication data. Note that either PK GT or PK LT, or both can appear in the Encrypt algorithm, which depends on the access control policy defined in AA. Concretely, if the user would like to control its data access only based on GT, this algorithm can be simplified as Encrypt PK, M, AA, PK GT . The access policy AA can be described as AA GT , where n represents the number of selected GT, GT represents a general trust level set by to control the access, (e.g., GT GT_ means that gives the nodes with GT_ the authority to decrypt the ciphertext. If node u wants to control data access only based on LT, AA can be described as AA LT , where LT represents a local trust level set by to control the access, and the algorithm is simplified as Encrypt PK, M, AA, PK LT, . In the case that the data access is controlled by both GT and LT, the access policy AA is written as AA GT LT , where n represents the number of combined trust levels. In this case, AA is described as a Disjunctive Normal Form (DNF), and the Encrypt Ī 5, AA algorithm is kept as its original. E.g., if Ī GT_4 LT_4 GT_5 LT_5 GT_5 LT_4 GT_4 LT_5

means the nodes with GT 4 and LT 4 can be granted access rights. The Encrypt algorithm iterates over all j 1, , n , generates for each conjunction a random value and constructs CT as R CT

E

M · PK GT

E

PR ， PK GT

E

R

· PK LT , R

· PK LT ,

，

.

Where PK GT and PK LT , denote the public attribute keys for GT and LT . If AA belongs to the first type of access 1; if it falls into the second control policy, we set PK LT , type, we set PK GT 1. The ciphertext CT is obtained as the tuple CT CT , , CT . Decrypt PK, CT, AA, SK_ ', SK GT, ' , SK LT, , ' . The Decrypt algorithm takes as input a ciphertext CT, an access policy AA, under which CT was encrypted, and a key ring SK_ ', SK GT, ' , SK LT, , ' for node '. The algorithm first checks which kind of access policy is used, and then detects whether any conjunction of AA can be satisfied by the given attributes, e.g., if AA is the third kind of access policy, the algorithm checks whether the input secret keys SK GT, ' and SK LT, , ' match with both attributes occurring in GT LT (1 j n). If this is not the case, the algorithm outputs NULL, otherwise M

E ·

e E ′ , SK GT , ' · SK LT , , '

e E ′′ , SK_ ' It is easy to verify that the decryption is correct [8]. Let a : HSK_ts GT HSK_ LT . Then, E M · e g, g R , R g and E ′

e E , SK GT , ' · SK LT , , ' E ·

e E

′′

·

e P, g R

Trusted Server

R

·

R

′

,g · P

′

R R

Node 2

Keys

Frame 1. Check AA, determine the decryption means; 2. Decrypt the Frame using Decrypt with SK(GT_i, u). Send a request QT to TS to quit from PSN

Fig. 2. Control PSN data access based on general trust

M.

D. Procedures We illustrate securing PSN based on two dimensions of trust levels in three cases. Case 1: Data Access Controlled by GT

Node u

Keys

QT 1. Delete node u from the system and notify other nodes; 2. Check a system clock frequently; Keys & valid node pseudonyms 3. When old keys are going to expire, reevaluate GT for each remainder node; Keys & valid node pseudonyms 4. Re-generate proper public and secret GT keys for remainder nodes; PSN communications with new keys 5. Send the new keys to eligible nodes.

′

′ e P, g · e g, g R Herein, if the node controls its data access only based on GT, SK LT, , should be set as 1, HSK_u LT is zero. If the node controls its data access only based on LT, SK GT, should be set as 1, HSK_ GT is zero. If the data access is controlled by both GT and LT, the Decrypt algorithm is kept as its original.

…

Keys

1. Define AA, encrypt a message using DEK; 2. CT = Encrypt(PK, DEK, AA, PK(GT)); 3. Generate Frame={ID, AA, CT, Frame {Message }DEK}; 4. Broadcast the Frame.

e PR , g e g

Node 1

1. PK, MK, SK_ts ← setup(1k); 2. PK_u, SK_u ← InitiateUser(PK, MK, u); 3. Evaluate GT for each node and set the access control policy of TS; 4. Generate the public GT key for suitable attributes GT_i based on the TS policy: PK(GT_i)← IssueGeneralTrustPK(PK, GT_i, SK_ts); 5. Generate the secret GT key for eligible nodes based on GT: SK(GT_i, u) ← IssueGeneralTrustSK(PK, GT_i, SK_ts, PK_u); 6. Send suitable PK(GT_i) to all nodes and SK(GT_i, u) to eligible nodes.

,SK_ '

M · e g, g M · e g, g

In the case that the data access is only controlled by GT, the GT related keys (i.e., encryption public keys and personalized decryption keys) are generated and issued by the TS. Fig. 2 shows the procedure that contains the following steps. System Setup: TS calls the Setup algorithm to create PK, MK, and SK_ . PK will be made public to all nodes, and MK, SK_ts will be kept secret by the TS. New Node Grant: When a new node wants to join the system, the TS assigns it a unique identifier , and calls the InitiateNode algorithm to generate the public key PK_ and the secret key SK_ , and then sends these two keys and system credentials to . Issue Attribute Keys: The TS generates the attribute keys by checking the validity period of previously issued keys as follows. • Evaluate the GTs of nodes using the method proposed in [5] or alternatively by other methods [12] and set an access control policy of TS (e.g., GT I ) for saving communication cost of key exchanges; • Call IssueGeneralTrustPK to generate the public GT keys for suitable attributes GT_ , PK GT_ based on the TS policy; • Call IssueGeneralTrustSK to generate the secret GT key SK GT_ , for each eligible node u based on its GT; • Store the node unique identifier u, the current pseudonym applied by , its GT and SK GT_ , in the TS Database with a validity period, shown in Table I. • Send the proper keys, e.g., the public GT keys PK GT_ I',…,Ī to all nodes and the secret GT keys SK GT_ , to the eligible nodes.

TABLE I. FORMAT OF A NODE ITEM IN TS DATABASE u

pseudonym

GT_i

SK(GT_i, u)

validity period

Secure PSN Communications (through encryption): A node sets an access policy AA regarding GT. As in [7], a node first encrypts a PSN message using a symmetric key DEK, then encrypts the DEK using the Encrypt algorithm, generates a message frame with a node pseudonym, such as Frame={pseudonym, AA, CT, {Message}DEK}, and finally broadcasts the frame in PSN. Secure PSN Communications (through decryption): On receiving the frame from the source node, a node decrypts the

encrypted message by first calling the Decrypt algorithm to obtain DEK and then decrypting the encrypted message using DEK. Quit from PSN: A node may quit from the PSN at any time by sending a request to TS. The TS verifies the identity of the node, inform its quit to other nodes and will not send any new keys to it after its current keys are expired. Re-issue GT Keys: In order to solve the security problem caused by node revocation and trust changes, the TS periodically checks a system clock and updates the public GT key and personalized secret GT keys as below: • Checks the validity period of PK(GT); • If it runs out, the TS re-evaluates the GTs of remainder nodes; • The TS calls IssueGeneralTrustPK and IssueGeneralTrustSK to re-generate PK GT_ for each suitable attribute and corresponding secret GT keys SK GT_ , for eligible nodes and then resets the validity period of new keys; • Sends the new keys and valid pseudonyms to the eligible nodes. The PSN nodes continue secure communications with the new keys once their validity period starts. Case 2: Data Access Controlled by LT When the TS is not available, a node generates the encryption key and corresponding personalized secret keys based on LT. It broadcasts the encrypted message in PSN and issues the secret keys for those nodes that satisfy its access control policy. In case that the LT of some nodes decreases, the node will regenerate suitable keys for encrypting and decrypting subsequent communication data and then re-issue new secret keys to eligible nodes if requested but not issued before. Fig. 3 shows the procedure that contains the following steps. Node u

Node u’

…

Frame Frame 1. Check AA, determine the decryption means; 1. Check AA, determine the 2. Generate request REQ for the decryption means; secret LT key, REQ = {ID, PK_u}; 2. Generate request REQ for the 3. Wait for the response from node n. secret LT key, REQ = {ID, PK_u’}; 3. Wait for the response from node n. REQ REQ Decrypt the Frame with SK(LT_i, n, u).

RESP Decrypt the Frame with SK(LT_i, n, u’).

RESP

PSN communications with new keys

Node n 1. Define AA; 2. Generate the public LT key for suitable LT attributes PK(LT_i, n) ← IssueLocalTrustPK(PK, LT_i, SK_n); 3. Encrypt a message using DEK; 4. CT = Encrypt(PK, DEK, AA, PK(LT, n)); 5. Generate the Frame = {ID,AA,CT,{Message}DEK}; 6. Broadcast the Frame.

1. Evaluate the LT of requesting nodes; 2. Generate the secret LT key for nodes if their LT satisfies AA: SK(LT_i, n, u)← IssueLocalTrustSK; 3. Encrypt SK(LT_i, n, u) with PK_u; 4. Send RESP= {SK ( LT, n, u )}PK_u to node u. 1. 2. 3. 4. 5.

Check the clock frequently; Re-evaluate LT for each remainder node; Re-generate the public LT keys if needed; Encrypt data using new keys; Broadcast the ciphertext.

Fig. 3. Control PSN data access based on local trust

Initiate Communication: A node sets an access policy AA with regard to LT and calls IssueLocalTrustPK to generate the public LT key PK LT_i, for suitable attributes LT_i. Secure PSN Communications (through encryption): This step is similar to the protocol represented in Case 1 except that the node applies different encryption keys. In this case, the node encrypts the message using DEK and then encrypts DEK with PK LT, ,i.e., calls Encrypt PK, M, AA, PK LT,u . Request Decryption Key: After receiving the frame from u, node checks the LT of , LT_ . If LT_ LT , where

LT denotes the threshold set by to determine whether to communicate with , the node will not communicate with and drops the frame; If LT_ LT , sends a request to for the secret LT key. Issue Secret Attribute Keys: On receiving the request, the node checks the LT of . If the LT of satisfies with AA and the requested key is not issued before, calls IssueLocalTrustSK to generate and issue the secret LT key SK LT, , ' for '. Secure PSN communications (through decryption): The eligible node decrypts the message by calling the algorithm Decrypt PK, CT, AA, SK_ ', SK LT, , ' . Re-Generate LT Keys: The node periodically checks the clock and updates LTs, the public LT keys PK LT, and the secret LT keys SK LT, , ' as follows: • Checks the validity period of LT; • If it is the time to re-evaluate LT, re-evaluates the LTs of other nodes [5]; with the previous • Then compares the new LT LT_ one LT_ . For every other node u’, if LT_ , replaces the LT of with the new one and LT_ will not re-issue the encryption keys. Else, if LT_ LT_ and LT_ LT_u V , where V is a threshold of value variation, the node will not only replace the local trust value, but also re-build an access policy if needed (e.g., when u wants to restrict its data access control) and re-generate PK LT_i, based on the new access policy; • The node will encrypt its messages with the new PK LT_i, and generate SK LT_i, , ' if it is requested. Case 3: Data Access Co rolled by both GT and LT In the case that the TS is available and the node would like to control communication data access based on both GT and LT, the node achieves this based on the keys issued by both TS and itself. Fig. 4 illustrates the procedure. The first three steps are the same as System Setup, New Node Grant, and Issue Attribute Keys as described in Case 1. Secure PSN Communications (through encryption): A node sets an access policy AA including both GT and LT. It calls IssueLocalTrustPK to generate PK LT, . Then it encrypts the message using both PK GT and PK LT, and broadcasts the frame in PSN. The nodes who want to communicate with request the decryption key from . The steps are the same as Request Decryption Key and Issue Secret Attribute Keys in Case 2. Secure PSN Communications (through decryption): The node that gets the decryption key from successfully decrypt the message using SK GT_i, and SK LT_i, , ' . Quit from PSN: Some node may quit from the PSN at any time by sending a request to TS. The TS verifies the identifier of the node, inform its quit to other nodes and will not send any new keys to it after its current keys are expired. Re-issue GT keys: The TS implements this step in the same way as described in Case 1. Re-Generate LT Keys by nodes: The node implements this step in the same way as in Case 2.

The PSN nodes continue secure communications with the new keys when their validity period starts. Trusted Server

Node u

Node u’

1. PK, MK, SK_ts ← setup(1k ); 2. PK_u, SK_u ← InitiateUser(PK, MK, u); 3. Evaluate GT for each node and set the access control policy of TS; 4. Generate the public GT key for suitable attributes GT_i based on the TS policy: PK(GT_i)← IssueGeneralTrustPK(PK, GT_i, SK_ts); 5. Generate the secret GT key for eligible nodes based on GT: SK(GT_i, u) ← IssueGeneralTrustSK(PK, GT_i, Keys SK_ts, PK_u); 6. Send suitable PK(GT_i) to all nodes and Keys SK(GT_i, u) to eligible nodes. 1. Define AA; 2. Generate the public LT key for suitable LT attributes PK(LT_i,u) ← IssueLocalTrustPK(PK, LT_i, SK_u); 3. Encrypt the message using DEK; 4. CT=Encrypt(PK, DEK, AA, PK(GT), PK(LT,u)); 5. Generate the Frame Frame={ID,AA,CT,{Message }DEK}; 6. Broadcast the Frame.

1. 2. 3. 4. 5.

1. Evaluate the LT of u’; 2. Generate the secret LT key SK(LT_i,u,u’) ← IssueLocalTrustSK; 3. Encrypt SK(LT,u,u’) with PK_u’; 4. Send RESP= to u’. Delete revoked nodes from the system and inform this to other nodes; Keys & valid node pseudonyms Check the clock frequently; When old keys are going to expire, reKeys & valid node pseudonyms evaluate GT for each node; Re-generate proper public and secret GT 1. Check the clock frequently; keys for nodes; 2. Re-evaluate LT for each remainder node; Send the new keys to eligible nodes. 3. Re-generate the public LT keys if needed;

REQ RESP

1. Check AA, determine the decryption means; 2. Generate request for the secret LT key: REQ = {ID, PK_u’}; 3. Wait for the response from node u; Decrypt the Frame with SK(GT_i,u’) and SK(LT_i,u,u’).

4. Encrypt data using new keys; 5. Broadcast the ciphertext. PSN communications with new keys

Fig. 4. Control PSN data access based on both general trust and local trust

IV. SECURITY ANALYSIS & PERFORMANCE EVALUATION The security goal of our scheme is to guarantee that only the nodes whose trust levels (GT, LT or both) satisfy the access control policies can access the message in PSN. A. Security Proofs Fine-Grainedness of Access Control Our scheme can achieve fine-grained access control. Various access policies regarding GT or LT can be defined and enforced. We remove the complexity of hierarchical attributebased fine-grained access control [11] by replacing it with two dimensions of trust-levels. We evaluate the trust levels according to many factors and simplify the ABE attribute structure by only considering the trust levels. This design not only reduces the complexity of the access policy description, but also keeps its expressivity. The computation complexity can be greatly reduced since LT evaluation has no exponentiation operations and GT evaluation is conducted at TS, not PSN nodes [5]. The computation of trust evaluation is much less complicated than embedding the trust-factor related attributes into the attribute structure of an ABE scheme. The proposed scheme can be flexibly applied into many scenarios by cooperating with a trust management framework. Data confidentiality In our proposed scheme, the PSN data are encrypted using symmetric DEKs, and the DEKs are encrypted using the Encrypt algorithm. Assumed that the symmetric key algorithm is secure, e.g., using a standard algorithm such as AES, the data confidentiality of our proposed scheme merely relies on the security of the Encrypt algorithm. It is customary to define security in a context like ours by using a model involving a game between two parties where one of the parties is an adversary who tries to get an advantage in the game. More specifically, we define the security model of our scheme as follows between an adversary and a challenger , where the challenger plays the role of either TS or the node who would like to control the access of data in PSN.

Setup. The challenger runs the Setup algorithm and gives the public key PK to the adversary . Phase 1. The adversary asks the challenger (particularly, in the role of the TS) for an arbitrary number of node keys. The challenger calls the InitiateNode algorithm for each requesting node and returns the resulting public and private node keys to . For each node, can request an arbitrary number of secret and public attribute keys (for either GT or LT or both), that creates by calling key generation algorithms, respectively. Challenge. The adversary submits two messages M and M and an access policy AA such that none of the nodes he created in Phase 1 satisfy AA. (If any node from Phase 1 satisfies AA, the challenger aborts.) The challenger flips a coin b, encrypts M under AA, and gives the ciphertext CT to the adversary. Phase 2. Like in Phase 1, the adversary may create an arbitrary number of nodes. He can also request more secret attribute keys (for either GT or LT or both) for the nodes he created in Phase 1 and Phase 2. The only restriction is if any secret attribute key would give the respective node a set of attributes that would satisfy AA, then the challenger aborts. As before, can always request any public attribute keys. Guess. The adversary outputs a guess b′ of b. As customary in similar settings, the advantage of in this game is defined in the probabilistic sense, i.e., the advantage is the difference between probabilities of correct guess by the adversary and correct random guess: Advantage = Pr b′ b 0.5. Now the scheme is secure in this security model if the advantage of the adversary is negligible whenever the adversary operates in probabilistic polynomial time. As customary, we use reductions between different games for proving security in our model. The hope is that we are able to make a reduction to a game where the advantage of the adversary is easier to compute. Hence, our proof has the following logical structure. We define another game, called the modified game. Then we make the hypothetical assumption that there exists a polynomial-time adversary 1 who has a non-negligible advantage in our original game. With the help of 1 we are then able to construct another polynomial-time adversary 2 who has a non-negligible advantage in the modified game. The final step is to show that such adversary cannot exist, from which it follows that our hypothetical assumption is not true, and therefore the advantage is negligible for every polynomially-bound adversary. Since the last part has already been proved in [8], i.e., no 2 has a non-negligible advantage in the modified game, we just need to show how to construct 2 from 1. We define a modified game as follows: The phases Setup, Phase 1, and Phase 2 are equal to the original game. In the Challenge phase, the adversary submits an access policy AA such that none of the nodes that he created in Phase 1 satisfy AA (but unlike the original game, M and M are not submitted). The challenger flips a coin b, and creates a ciphertext for the M· access policy AA , but instead of computing E

e g, g R according to our encryption algorithm, he computes E as e g, g R , if b 1 E e g, g θ , if b 0, where all elements θ are uniformly and independently chosen randoms from . Given now an adversary 1 that has an advantage in the original game, we can construct 2 as follows: In the phases Setup, Phase 1, and Phase 2, 2 forwards all messages he receives from 1 to the challenger (of the modified game) and all messages from the challenger to 1. In the Challenge phase, 2 receives two messages M and M from 1 and the challenge C, which is either e g, g R or e g, g θ ) from the challenger . Now 2 has to play the role of the challenger in the original game and therefore he flips a coin β and sends C′ Mβ · C to 1. When 1 outputs a guess β′ , 2 outputs as its own guess 1 if β′ β, or 0 if β′ β. If C e g, g R , Mβ · then 2’s challenge (in the game against 1) is C ′ e g, g R , which is a random encryption of Mβ under the public keys PK GT and PK LT, , and consequently 1 has advantage of guessing the correct β′ β. It follows that 2 has the same advantage in its own game. If C e g, g θ , then the challenge C ′ is nominally dependent of β but in fact C ′ could result from each of the messages M and M , with a suitable choice of the parameter θ .This implies that 1 cannot have any advantage in guessing β so the advantage of 2 is also 0. Thus, the overall advantage of 2 is Pr β′ β|b 1

′

Pr β

β|b

0

.

Now the existence of any 1 having a non-negligible advantage in the original game implies the existence of an adversary 2 who succeeds with non-negligible advantage as well in the modified game. In [8], it is shown that no 2 can distinguish between e g, g R and e g, g θ in polynomial time. So we can conclude that no 1 can have non-negligible advantage in our security model. B. Performance Analysis This section evaluates the performance of our proposed scheme in terms of computation complexity, communication cost, scalability and flexibility. Computation Complexity We analyze the computation complexity for the following general operations: setup, node authority grant, encryption, decryption and node revocation. For the algorithms Setup, InitiateNode, IssueGeneralTrustPK, IssueGeneralTrustSK, IssueLocalTrustPK and IssueLocalTrustSK, each contains a constant number of exponentiation operations on group . So the computation complexity of all these algorithms is 1 . The main computation overhead of encryption operation is the encryption of the message using the symmetric key DEK as well as the encryption of the DEK using the Encrypt algorithm. The complexity of the former depends on the size of the underlying message and is inevitable for any cryptographic

method. The algorithm Encrypt requires three exponentiation operations on group for each conjunction of AA . So the computation complexity of the encryption operation is 3 , where denotes the number of conjunctions in AA, 1 . The only computationally expensive operation presented in decryption operation is caused by computing exactly two bilinear pairings, no matter how complex the access policy is. This follows from the fact that only one CT needs to be decrypted. Thus the computation complexity of decryption is 1 . Table II summarizes the computation complexity of each system operation in our proposed scheme and compares it with other schemes. Since we cannot find similar work in the context of PSN, we compare our scheme with two ABE based schemes for cloud computing: Yu’s scheme [10] and HASBE [11]. In the table, N denotes the number of attributes in the key structure, S is the attribute set of protected data, Y is the set of leaf nodes in the access policy tree, X is the set of translating nodes of the policy tree, M be the number of sets in a key structure (in our case M=1 or 2), and L is the number of bilinear pairing. Compared to ABE schemes designed for cloud computing, our proposed scheme is very efficient. The main reason is we greatly simplify the attribute and policy structure by applying multi-dimensional trust levels and threshold-like control structure. TABLE II. COMPARISON OF COMPUTATION COMPLEXITY Operation Setup Node/user Grant Encryption Decryption Node/user Revocation

Our scheme 1 1 3 1 1

HASBE 1 2 2|Y| |X| varied 1

Yu’s scheme |Y| |Y| |S| max |L|, N |Y|

Communication Cost Ciphertext size is an essential aspect with regard to communication cost. In our scheme, Frame={pseudonym, AA, CT, {Message}DEK}. CT is composed of CT , each of which has three group elements on . AA consists of conjunctions and each one has only one or two elements (either GT or LT or both). Considering the limited number of levels of GT and LT adopted in practice, the structure of the ciphertext is pretty simple and the size is also reasonable. Additionally, we apply the access policy and trust evaluation to assist decisions on the need of communications for key generation and exchanges in order to minimize communication cost in various situations. Scalability and Flexibility In our proposed scheme, the data access control policy is as simple as related to two dimensions of trust levels. Thus, the computation complexity of encryption and decryption is greatly reduced. Our scheme is scalable for supporting various access control demands in PSN with trust management support. We reduce the complexity of cryptographic computation by integrating trust evaluation into fine-grained access control. Any complicated attributes that should be considered in the access control policy can be taken into account during the process of trust evaluation.

The goal of scalability can be further achieved since the complexity of each operation in our scheme, shown in Table II, is no longer dependent to the number of nodes in the system. Except for the encryption operation, the complexity of all other operations is 1 . Even for the encryption, our scheme 1 exponentiation operations. requires at most 3 Therefore, it can serve as an ideal and practical candidate solution for securing PSN environment. It is flexible for the proposed scheme to control data access in PSN no matter if there is TS connection after node registration. It can support distributed, centralized or hybrid access control based on either GT or LT or both. V. RELATED WORK Most existing work didn’t consider how to control social communication data access based on trust levels, especially in instant social networking scenarios [2, 3], e.g., EZSetup [13], Instant Community [14] and Familiar Stranger [15]. Some security and privacy protection solutions for on-line social networking, such as Facecloak are not suitable for solving the security issue for PSN [18]. Many solutions have been proposed to secure MANET. Previous work mainly focused on ensuring the security in MANET link layer (e.g., secure MAC protocols such as IEEE 802.11 series) and network layer, such as secure ad hoc routing protocols and packet forwarding solutions [16]. URSA provides ubiquitous and robust access control for MANET with a ticket-based approach. Each well-behaving node uses a certified ticket to participate in routing and packet forwarding. Nodes without valid tickets are classified as misbehaving and excluded from the access to the network-layer functionalities of routing and packet forwarding [17]. Our work focuses on securing node-to-node communications with data encryption in MANET transport layer based on the trust levels evaluated in its application layer. Trust evaluation and management can be applied to ensure MANET security, as a supplement to cryptographic measure. Though trust mechanisms can be used in cryptography based security solutions for MANET, such as malicious node detection, quality of information assessment, and node authentication [12], we seldom see a holistic access control scheme for MANET data communications like ours. VI. CONCLUSION In this paper, we introduced a scheme to secure PSN communications based on two dimensions of trust levels in a heterogeneous manner. The proposed scheme seamlessly incorporates a hybrid trust management framework for PSN by applying distributed ABE. Our scheme not only supports controlling PSN data access based on accurate general trust evaluation by an authorized party, but also achieves effective data protection based on the trust evaluated by PSN nodes. Moreover, the scheme supports applying node pseudonyms in PSN in order to ensure an expected level of privacy and security. The PSN can be automatically secured since the related cryptographic keys can be automatically managed

based on two dimensions of node trust levels, node revocation and the validity period of the keys. We formally proved the security of the scheme based on the security of distributed ABE by Müller et al. Extensive analysis shows that our scheme is highly efficient and provably secure under the existing security model. ACKNOWLEDGMENTS This work is sponsored by the grant K5051201032 and the initial grant of Chinese Educational Ministry for researchers returned from abroad.

REFERENCES [1] A. Ahtiainen, et al., “Awareness networking in wireless environments: means of exchanging information”, IEEE Veh. Technol. Mag., 4(3), pp. 48–54, 2009. [2] E. Sarigöl, O. Riva, P. Stuedi, and G. Alonso, “Enabling social networking in ad hoc networks of mobile phones”, Proc. VLDB Endow. 9 (2), pp. 1634–1637, 2009. [3] Junction. Harvard MobiSocial Group. http://openjunction.org/ [4] M.W. Macy, and J. Skvoretz, “The evolution of trust and cooperation between strangers: a computational model”, American Sociological Review, 63, pp. 638-660, 1998. [5] Z. Yan, Y. Chen, and Y. Shen, “A practical reputation system for pervasive social chatting”, Journal of Computer and System Sciences, 2012. DOI: 10.1016/j.jcss.2012.11.003 [6] J. Bethencourt, A. Sahai, and B. Waters, “Ciphertext-policy attribute based encryption”, Proc. of IEEE S&P, pp. 321–334, 2007. [7] V. Goyal, O. Pandey, A. Sahai, and B. Waters, “Attribute-based encryption for fine-grained access control of encrypted data”, Proc. of the 13th ACM CCS, pp. 89–98, 2006. [8] S. Müller, S. Katzenbeisser, and C. Eckert, “Distributed attribute-based encryption”, Proc. of the 11th Annual Int. Conf. on Information Security and Cryptology, pp. 20–36, 2008. [9] A. Sahai and B. Waters, “Fuzzy identity-based encryption”, Proc. of 24th International Conference on the Theory and Application of Cryptographic Techniques, pp. 457–473, 2005. [10] S. Yu, C. Wang, K. Ren, and W. Lou, “Achieving secure, scalable, and fine-grained data access control in cloud computing”, Proc. of IEEE INFOCOM, pp. 534–542, 2010. [11] Z. Wan, J. Liu, and R.H. Deng, “HASBE: a hierarchical attribute-based solution for flexible and scalable access control in cloud computing”, IEEE Tran. on Info. Forensics & Security, 7(2), pp. 743-754, 2012. [12] K. Govindan, and P. Mohapatra, “Trust computations and trust dynamics in mobile adhoc networks: a survey”, IEEE Communications Surveys & Tutorials, 14(2), pp. 279-298, 2012. [13] EZSetup. http://research.microsoft.com/enus/groups/wn/mssn.aspx. [14] Nokia instant community. http://conversations.nokia.com/2010/05/25/nokia-instantcommunity-gets-you-social/. [15] Familiar Stranger. http://www.paulos.net/research/intel/familiarstranger/index.htm. [16] H. Yang, H. Luo, F. Ye, S. Lu, and L. Zhang, “Security in mobile ad hoc networks: challenges and solutions”, IEEE Wireless Communication, 11(1), pp. 38-47, 2004. [17] H. Luo, J. Kong, P. Zerfos, S. Lu, and L. Zhang, “URSA: ubiquitous and robust access control for mobile ad hoc networks”, IEEE/ACM Trans. on Networking, 12(6), pp. 10491063, 2004. [18] Facecloak. http://crysp.uwaterloo.ca/software/facecloak/